T-Connect is a suite of connected vehicle services offered to Toyota drivers that enables them to perform multiple actions from their smartphones, including planning journeys, locating vehicles, viewing driving analytics, scheduling services and maintenance, and obtaining accident assistance.
More than 300,000 drivers have registered for the service since July 2017, and the potentially compromised data includes email addresses and customer management numbers. The incident came to Toyota’s attention on 15 September 2022.
“In December 2017, the T-Connect website development subcontractor mistakenly uploaded part of the source code to their GitHub account while it was set to be public, in violation of the handling rules,” the company said in a statement.
“As a result, it was revealed that from December 2017 to 15 September 2022, a third party was able to access part of the source code on GitHub. It was discovered that the published source code contained an access key to the data server, and by using it, it was possible to access the email address and customer management number stored in the data server.”
Toyota said that the source code had now been locked down and affected customers informed. It said it had been unable to confirm whether or not the data was actually accessed or downloaded at any point, but that this could not be ruled out. It has also not observed or confirmed any abuse of the at-risk information at this stage.